CVE-2025-37995

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-37995

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37995.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-37995

Downstream

BELL-CVE-2025-37995

DEBIAN-CVE-2025-37995

DLA-4271-1

ECHO-16f5-9c8c-33f6

OESA-2025-1625

OESA-2025-1626

OESA-2025-1627

OESA-2025-1628

OESA-2025-1629

SUSE-SU-2025:02249-1

SUSE-SU-2025:02538-1

SUSE-SU-2025:02923-1

UBUNTU-CVE-2025-37995

USN-7654-1

USN-7654-2

USN-7654-3

USN-7654-4

USN-7654-5

USN-7655-1

USN-7686-1

USN-7699-1

USN-7699-2

USN-7711-1

USN-7712-1

USN-7712-2

USN-7721-1

Related

Published

2025-05-29T14:15:36Z

Modified

2025-08-13T00:00:22Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

module: ensure that kobject_put() is safe for module type kobjects

In 'lookuporcreatemodulekobject()', an internal kobject is created using 'modulektype'. So call to 'kobjectput()' on error handling path causes an attempt to use an uninitialized completion pointer in 'modulekobjectrelease()'. In this scenario, we just want to release kobject without an extra synchronization required for a regular module unloading process, so adding an extra check whether 'complete()' is actually required makes 'kobject_put()' safe.

References

Affected packages